The IoT Cybersecurity Improvement Act 2020 | What Does It Mean for You?

An Interview with Eclypses Chief Innovation Officer, David Schoenberger

The United States Federal Government passed the first IoT security legislation. This bans federal agencies from purchasing IoT devices that do not meet certain security protocols. According to the IoT Cybersecurity Improvement Act 2020, all IoT devices must adhere to specific cybersecurity standards and device providers must abide by a vulnerability program. This act includes issues such as identity management, secure development, configuration management and patching processes.

Eclypses Chief Innovation Officer and co-founder of the MTE technology, David Schoenberger breaks down a few important questions and what we can expect moving forward.

What are the next steps right now?

David Schoenberger: Right now, this bill applies to government parties – not YET required by all manufacturers and security vendors. The National Institute of Standards and Technology (NIST) will provide an update by end of Q1 2021.

What should IoT device manufacturers be doing today to prepare for any upcoming regulatory changes

David Schoenberger: Be ready. My advice is to get ahead of the curve and follow the guidelines that are provided by NIST currently and start using tools by third parties that specialize in staying ahead of the mandates and provide NIST-level security. This includes vendors, manufacturers or subcontractors that are not working directly with the federal government.

  • Find flexible toolkits that solve security issues at the data level, rather than just trying to keep attackers out of the device.
  • Identify your asset class data, that if breached – would expose critical information of your user, mission, task, deliverable, etc. Secure those pieces of data individually in each packet that is sent from the device to the communication protocols.
  • Do not rely on communication protocol security.
  • Do not rely on shared-key or traditional managed key encryption. Only use key management solutions that are single-use and instantly obsolete from each transmission of data.
  • Do not rely on session-based security, secure each transmission within the secured sessions.
  • Select solutions that provide security to the lifecycle of the data journey — focus your efforts to deliver secured data packets to the final endpoint. Many devices only protect data to the first “hop” and not to the final endpoint (like the analytics engines, video player, SCADA system, etc.)

What is your advice to the end-user?

David Schoenberger: Be diligent, my advice is to:

  • Only choose applications and devices that can prove data security instead of intrusion security.
  • Only use devices that promise to deliver the data securely to the FINAL endpoint.
  • Only use devices that prove their security cryptography is NIST approved.

What can we expect moving forward?

David Schoenberger: The IoT Cybersecurity Improvement Act will bring the awareness needed to software security, as experts predict that by 2025 there will be more than 75 billion connected devices. Eclypses stays current with all NIST-approved cryptography and uses these standards in a proactive way. We choose to stay ahead of the mandates by providing a toolkit that can be modified and adheres to NIST guidelines.

MTE Technology

The MTE technology is utilized in the MTE toolkit to enhance data security on your mobile applications (MTE Mobile), IoT devices (MTE Connect), and web browser sessions (MTE Web). If you would like to learn about how our MTE technology can work for your organization, please email us directly at [email protected].

Security Magazine
Gov Info Security
Jones Day